
A Guide to M&A Success

Anthony Decicco
Matthew Jacobs
© Black Duck 2014
Speakers

Anthony Decicco
Partner
GTC Law Group

Matthew H. Jacobs
General Counsel
Black Duck Software, Inc.



Today’s Agenda

• Open Source Trends


• Open Source Software license concerns
• Open Source in Mergers & Acquisitions
• Preparing for transactions: steps involved in the due
diligence process
• Concerns of acquirers and investors
• Q&A



“Software is eating the world.”
Marc Andreessen - 2012



Open Source Trends

Black Duck KnowledgeBase

• 2,300+ licenses
• 4B+ files/1,000,000+ unique projects
• 10+ million staff years
• >7,500+ sites
• Nearly 55,000 security vulnerabilities

What is FOSS?

• It’s third party software
• No single “official” definition
• However…FOSS is software licensed under an open source license.

[Diagram labels: Third-party Software; FOSS]


Primary OSS License Categories

• Permissive Licenses
• Licensee can use, copy, modify and distribute the software
• Licensee is allowed to combine the source with open source or proprietary software
• Licensee is NOT obligated to distribute the source code of derivative works
• Permissive: BSD, MIT
• Copyleft Licenses
• Any Licensee modifications to the software must be distributed under the same reciprocal OSS license
• Copyleft licenses are substantially more complex than permissive licenses
• Copyleft: GPL, MPL

See www.opensource.org


Top 20 Open Source Licenses
Ranked according to number of open source
projects using the license:
• Top 10 licenses account for 93%
• Top 20 licenses account for 97%
• GPL family of licenses account for 53%

Source: //www.blackducksoftware.com/oss/licenses#top20
April 2014

Open Source is Everywhere

[Diagram labels: FOSS Community; Internally Developed Code; Outsourced Code Development; Commercial 3rd-Party Code; Your Software Application; THE ENTERPRISE]


Company Benefit: Less is More
“Enable organizations and developers to use open source
technologies and methods to build software faster, better and
cheaper.”

[Chart values: 80%, 30%; chart labels: Average*, Best in class]

*Source: IDC 2012

Open Source in M&A



Some Notes on Scope

• Third Party/In-Licensed Software


• Open source, but also freeware and commercial
• Object code, binary code, source code, firmware, microcode, drivers, libraries, routines
and subroutines
• APIs, SDKs, protocols, specifications and interface definitions
• SaaS
• Really any in-licensed software/service for developing, maintaining, supporting and
offering your products and services

• Transactions
• Mergers & Acquisitions
• Divestitures
• Financings, including VC investments
• Loans
• IPOs
• Customer agreements

• Business Models
• Traditional distributed
• Software as a service
• Internal use
Impact on Transaction:
Why Should I Care About This?
• Macro Impact:
• Delay
• Signing
• Closing
• Pricing
• Deal certainty
• Kill the deal

• Particular Issues:
• Inability to cleanly make reps in the deal
• Breach of licenses; automatic termination
• Copyright infringement
• ‘Viral’ infection of proprietary code
• Dependence on code from competitor/hostile party
• Automatic grant of licenses to certain of your patents
• Defensive patent termination rights
• Transfer/assignment/change-of-control issues
• Under licensing; not enough seats/licenses
• Combinations of components under incompatible licenses
• Security vulnerabilities
• Notice and attribution non-compliance
• Failure to comply with licenses for “fourth party” components


Impact on Transaction:
Why Should I Care About This?
• Story of the unfortunate seller

• Story of the unfortunate buyer



Impact on Transaction:
Why Should I Care About This?
• XimpleWare Corp. v. Versata Software Inc. et al., case
number 3:13-cv-05160, in the U.S. District Court for the Northern District of California, filed
November 5, 2013

Summary of Facts:
• Trilogy, which makes automotive purchasing-related software, acquired Versata, which owns
several different software companies
• Versata is involved in a dispute with its customer Ameriprise Financial as Ameriprise tried to
write its own software to replace the software from Versata
• As part of this dispute it comes out that the software Versata licensed to Ameriprise contains
code from XimpleWare. In addition, it appeared that Versata removed and altered the copyright
notices to conceal the fact that the code was from XimpleWare. Ameriprise distributed the
Versata product to 1000s of its contractors
• XimpleWare makes a high performance XML parser/processor that is dual licensed pursuant to
the GPLv2 and a commercial license; none of the defendants have a commercial license.
XimpleWare also has patents relating to XML parsing/processing
• XimpleWare separately sues for patent infringement and copyright infringement, alleging damages
in excess of $150MM in the copyright suit



Impact on Transaction:
Why Should I Care About This?
• XimpleWare Corp. v. Versata Software Inc. et al., case
number 3:13-cv-05160, in the U.S. District Court for the Northern District of California, filed
November 5, 2013

XimpleWare is claiming:
• Direct copyright infringement; knowing and willful
• Contributory and vicarious copyright infringement; knowing and willful
• Violation of Lanham Act §43(A); reverse passing off
• Breach of contract
• Did not comply with the GPL since did not make source code available
• GPL terminated given non-compliance, so unlicensed
• Breach of implied covenant of good faith and fair dealing under California law; entitles to punitive
damages - Dismissed
• Unjust enrichment
• Intentional interference with prospective economic advantage - Dismissed
• Unfair competition
• Declaratory relief
• Damages: in excess of $150MM, wants enhanced damages which it claims possibly triples amount



Impact on Transaction:
Why Should I Care About This?
• XimpleWare Corp. v. Versata Software Inc. et al., case
number 3:13-cv-05160, in the U.S. District Court for the Northern District of California, filed
November 5, 2013

Then…:
• XimpleWare moves for a temporary restraining order but is denied
• Versata files motion to dismiss but is denied; Versata claims:
• It is licensed under the GPL and cites “mere aggregation” clause
• XimpleWare code and Versata code are on the same storage media, but are separate modules not
integrated with each other
• Versata included the XimpleWare source code in the distributions
• XimpleWare does not own the source code given it has taken contributions
• Pursuant to Section 6 of the GPL its customers “automatically receive[ ] a license from the original
licensor to copy, distribute or modify the Program subject to [the GPL]” and that the GPL does not
restrict use since “[t]he act of running the Program is not restricted”
• Several of XimpleWare’s claims are too vague
• Texas law applies, not California law, so the California state law claims are inapplicable
• Note that Versata has already shipped a patch that removes the XimpleWare code
• Pre-trial preparation order: Discovery cut-off - December 2014; Jury trial - April 2015



Impact on Transaction:
Why Should I Care About This?
• Continuent, Inc. v. Tekelec, Inc., case number 3:13-cv-01550, in the
U.S. District Court for the Southern District of California, filed July 2, 2013

Summary of Facts and Claims:


• Continuent makes database clustering and replication software named Tungsten
Replicator which is dual licensed pursuant to the GPLv2 and a commercial license.
Continuent also sells support services
• Tekelec is a provider of network signaling, policy control, and subscriber data
management solutions for communications networks and was acquired by Oracle in
2013
• Continuent alleges that Tekelec downloaded Tungsten, modified it and embedded it in
Tekelec’s Subscriber Data Management product which was distributed to customers;
Tekelec does not have a commercial license for Tungsten
• Continuent claims Tekelec has not complied with the terms of the GPL, including
providing notices, source code and source code offers, which means its license
terminated and all subsequent distributions were unlicensed (i.e. copyright
infringement)



Impact on Transaction:
Why Should I Care About This?
• Continuent, Inc. v. Tekelec, Inc., case number 3:13-cv-01550, in the
U.S. District Court for the Southern District of California, filed July 2, 2013

Tekelec’s defenses include:


• Non-infringement of copyright
• Lack of ownership
• Tekelec is complying with all applicable requirements of GPLv2
• Implied license
• Fair use
• De minimis copying
• Laches
• Waiver
• Unclean hands

• Case recently dismissed, with prejudice, on February 28, 2014; likely settled



Impact on Due Diligence:
What Should I Expect?
• Due Diligence Requests
• List of in-licensed software, with license and usage for each
• Time to produce the list
• Third party/in-licensed software review

• Third Party/In-Licensed Software Policy (or lack thereof)
• Quickly learn a great deal about a company’s business, legal and engineering
practices
• Date implemented
• Written
• Approval process
• Documentation function
• Mechanism for on-going compliance

• Disclosure Schedules



Typical Disclosure Schedule Requirements

Identify All In-Licensed Software Components:
• Incorporated, embedded or integrated
• Used to offer any Company product/technology
• Sold with any Company product/technology
• Otherwise distributed by Company
• Used or held for use by Company, including use for development, maintenance, support and testing

Information for Each Component:
• Applicable license agreement
• How incorporated, embedded or integrated
• How used internally
• How distributed or bundled; distinguish source and binary; linking
• How modified
• How hosted; allow others to host
• Relevant Company products/technologies
• Payment obligations
• Audit rights

List of Contracts Pursuant to Which:
• Company has agreed to create or maintain interoperability or compatibility with any third party software/technology
• Company has the right to access any software as a service, platform as a service, infrastructure as a service, cloud service or similar service
• Company has the right to access, link to or otherwise use data or content


Typical Disclosure Schedule Requirements

Exceptions:
• Generally available commercial
off-the-shelf software with value
of less than $1000-$5000
• Fourth party code; without
knowledge
• Internal use only, non-
development related software
(e.g. CRM, HR and accounting
software); may be covered
elsewhere
• In-licensed software incorporated
into office equipment or other
equipment/products purchased or
leased



Impact on Definitive Agreement:
How Do I Address This Risk?
• Reps and warranties

• Remediation-focused closing conditions and best efforts covenants
• Code remediation
• Legal remediation

• Specific indemnities
• At a minimum for errors/omissions and breaches/non-compliance with in-licensed
software related reps
• In respect of certain agreements, licensors and components

• Additional escrows
• Set aside for specific issues and to back-stop specific indemnities



Typical M&A Reps Relating to In-Licensed Software

Except as scheduled, Company has not:
• Incorporated third party software into, or combined third party software with, any Company product/technology
• Distributed or modified any third party software in conjunction with or for use with any Company product/technology

Company has not accessed, used, distributed, hosted or modified any third party software in such a manner as to:
• Require disclosure or distribution of any Company product/technology in source code form
• Require the licensing of any Company product/technology for the purpose of making derivative works/modifications
• Grant the right to decompile, reverse engineer or otherwise derive the source of any Company product/technology
• Require distribution of any Company product/technology at no charge or with limited usage restrictions
• Limit in any manner the ability to charge fees or seek compensation in respect of any Company product/technology
• Place any limitation on the right of the Company to use, host or distribute any Company product/technology

The Company:
• Has no plans to do any of the foregoing
• Is in compliance [in all material respects] with the licenses
• Has not been subjected to an audit, nor received any notice of intent to conduct any such audit
• Has no payment obligations, except as scheduled


Getting Ready:
What Should I Be Doing Now?
• Overall
• Identify, quantify and mitigate third party software-related risks

• Buyer/Investor
• Update due diligence request lists
• Update diligence process
• Include in-licensed software audit/code scan
• Kick-off promptly following LOI
• Prioritization
• Update reps and warranties
• Develop policies regarding acceptable third party software usage



Getting Ready:
What Should I Be Doing Now?
• Seller/Investee
• Conduct an in-licensed software audit/code scan
• Put in place a written in-licensed/third party software policy
• Prepare for diligence; consider industry practices

• Consider other uses of the information


• Integration
• Running the business
• Changing the model



How to Conduct a Third Party Software Review

• 1. Identify
• Aim to identify all of the third party software (both commercial
and open source) and hardware embedded in or used in the
development, maintenance, support and offering of products,
along with the applicable licenses and usage facts
• How?
• Self-disclosure
• Check work stations
• Procurement records
• String/keyword searching
• Code scans



How to Conduct a Third Party Software Review

• 2. Analyze
• Understand incompatibilities between the described or
proposed use of a given third party component and the license
terms for that component
• Analyze license terms which may be incompatible with current
or proposed business practices
• Consider:
• Internal use
• Distribution
• Hosting and allowing others to host
• Modification



How to Conduct a Third Party Software Review

• 3. Plan/Remediate
• Create a remediation plan to address identified issues
• Code remediation:
• Removing, rewriting or replacing code
• Costs: Engineering, time
• Legal remediation:
• Amending/terminating agreements, seeking clarifications, seeking
waivers of past liability, re-licensing components and obtaining new
licenses
• Costs: Legal, time, fees to licensors
• Notice and attribution:
• Does not remedy past non-compliance
• Risk mitigation/allocation:
• Additional representations and warranties
• Remediation-focused closing conditions and best efforts covenants
• Specific indemnities
• Additional escrows



Final Thoughts

• Can have a major impact on a transaction


• The more you look the more you find
• Often insufficient to rely on reps alone
• Guaranteed poor results if:
• Seller: ignore this area until a transaction
• Buyer: ignore this area as part of transaction diligence
• Difficult to undo the effects of poor practices with respect to in-licensed
software:
• Can’t undo copyright infringement; impractical to obtain the waivers
• Large analysis, and possible remediation, as components pile up
• Far better to avoid these issues in the first place
• A little can go a long way



Conclusion

• Unmanaged use of open source can lead to:


• Lost deals
• Delayed deal
• Reduced price/valuation
• Lost revenue
• There are many paths for unknown components to
enter a code base
• It’s difficult to correct problems during an M&A
transaction
• OSS due diligence helps companies avoid the risks
• Analyze contents using a comprehensive KnowledgeBase
• Provide a comprehensive view of what’s in the code



Black Duck Open Source Audit Services

• +8 Years of Experience
• 1,000’s Audits
• $40B+ M&A Transactions

• Discover unknown open source
• More thorough and accurate analysis
than manual audits
• Identify encryption technologies that
can restrict the legal export of software
• Identify security vulnerabilities that can
impact software asset value

Free quote: info@blackducksoftware.com


Questions?

Legal Webinars
www.blackducksoftware.com/resources/webinars/legal
@black_duck_sw
